Authorization policies are used to control access to security-critical services in distributed environments such as computer networks. Such authorization policies can be defined using associated authorization languages, which provide flexibility and expressiveness in the policy specification. These languages allow the authorization policy to be written explicitly as a list of declarative rules.
Requests for access to security-critical services are received at a reference monitor, a service that handles requests from user terminals. The reference monitor queries an authorization node that executes the authorization policy. Access for the user is granted only if the authorization node, evaluating the policy, succeeds in proving that the request complies with the local policy.
As authorization languages become more expressive, the risk of attack through complex, carefully formulated requests increases. For example, credential-based (also called “claims-based”) policy languages for authentication/authorization are becoming increasingly widely used. Such languages subscribe to what is known as the trust management principle: authorization decisions are based on the local policy in union with a (potentially empty) set of supporting credentials (containing assertions) submitted by the requester. Access requests are mapped to queries, so that access is granted if the corresponding query succeeds when evaluated in the context of the policy and the submitted credentials.
If the supporting credentials exceed a certain level of expressiveness, it may become possible for attackers to infer knowledge about secret facts stored in the local policy, just by submitting credentials and observing the response to a legitimate query. Such attacks are known as “probing attacks”. It is difficult to determine whether a confidential fact within an authorization policy is vulnerable to such a probing attack. Some authorization languages do not allow submitted credentials to contain any conditions, and thus avoid this type of attack. However, this restriction on expressiveness of the authorization language is too high a price to pay in general.
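The following added example (not part of the original text) models the evaluation described above: a query is granted if it is provable from the local policy in union with the submitted credentials. It then measures whether the grant/deny answer depends on a confidential fact, with and without the restriction that credentials may not contain conditions. It assumes credentials are ground Horn rules with no issuers or signatures, and all atom names are constructed for illustration.

```python
# Added example: toy ground-Datalog authorization check (atom names are constructed).
# A rule is (head, body); an empty body is an unconditional assertion.

def derive(rules):
    """Forward-chain to a fixpoint and return every derivable atom."""
    rules = list(rules)
    known = set()
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            if head not in known and all(b in known for b in body):
                known.add(head)
                changed = True
    return known

def authorize(policy, credentials, query, allow_conditions=True):
    """Grant iff the query is provable from policy + submitted credentials."""
    if not allow_conditions:
        # Restriction mentioned in the text: credentials may not carry conditions.
        credentials = [c for c in credentials if not c[1]]
    return query in derive(list(policy) + list(credentials))

# Local policy: access follows from membership, which the requester must evidence.
BASE_POLICY = [("access(alice)", ("member(alice)",))]
SECRET_FACT = ("informant(bob)", ())  # confidential fact held in the local policy
QUERY = "access(alice)"

# A credential whose assertion is conditional on the confidential fact.
CONDITIONAL_CRED = ("member(alice)", ("informant(bob)",))
PLAIN_CRED = ("member(alice)", ())

def answer_depends_on_secret(credentials, allow_conditions):
    """True if the observable grant/deny answer changes with the secret fact."""
    with_secret = authorize(BASE_POLICY + [SECRET_FACT], credentials,
                            QUERY, allow_conditions)
    without_secret = authorize(BASE_POLICY, credentials, QUERY, allow_conditions)
    return with_secret != without_secret

if __name__ == "__main__":
    for allow in (True, False):
        leak = answer_depends_on_secret([CONDITIONAL_CRED], allow)
        print(f"conditions allowed={allow}: answer reveals secret={leak}")
    print("plain credential still granted:",
          authorize(BASE_POLICY, [PLAIN_CRED], QUERY, allow_conditions=False))
```

With conditions permitted, the answer to a legitimate query becomes a function of the confidential fact; with conditions stripped, the leak disappears but so does the ability to express any conditional credential.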
The embodiments described below are not limited to implementations which solve any or all of the disadvantages of known authorization systems.